DNS

The Domain Name System (DNS) is a hierarchical, globally distributed system that maps the name of a computer, service or other resource to the addresses needed to reach it on the Internet or a private network. Most prominently, it translates domain names into the numerical IP addresses that computer services and devices use worldwide.

In a cross-forest migration, the steps to migrate users are quite complicated, and even in the official TechNet articles there is no clear recommendation on which approach to take. From experience, I describe and simplify which way to go and how to use PowerShell to make your life easier in such projects.


This applies to Dell but may also apply to other manufacturers. We ran across a few machines that had recently lost their trust relationship with the server. After the basic removal and rejoining of the domain, the error changed to "No logon server is available".

This article will help to fix the following errors for MS Exchange Server 2016: I. Certificate error "name on the security certificate is invalid or does not match the name of the site"; II. Out of Office not working; III. Make Internal URLs and External URLs the same; IV. Address book download issue.

This article will help to fix the following errors for MS Exchange Server 2010: I. Out of Office not working; II. Certificate error "name on the security certificate is invalid or does not match the name of the site"; III. Make Internal URLs and External URLs the same; IV. Address book download issue.

This article will help to fix the following errors for MS Exchange Server 2013: I. Certificate error "name on the security certificate is invalid or does not match the name of the site"; II. Out of Office not working; III. Make Internal URLs and External URLs the same; IV. Address book download issue.

So if you administer name servers using BIND, you need to update now.
Unfortunately, that means you cannot wait for binaries for your distribution to become available; you need to install from source.

Problems:

You need to install a development environment on your DNS servers.

Configuring and compiling can take a long time and uses resources on a production machine.

You need to uninstall the current packages without losing your zone files and named configuration, including the startup scripts.

My solution: configure a test server; configure, compile and install the new version of BIND from source there; then copy all the files to the production servers. This way you disrupt the service for 20 seconds at most.

I've written instructions for one router type, but this principle may be useful for others of the same brand and even other brands of router.

Problem:
I had an issue, especially with mobile devices, that refused to use the DNS information supplied via DHCP; in general they seem to use the service-provider DNS information that the data (3G/4G) service uses and override the Wi-Fi settings with it.
My aim was to get all DNS traffic to go to OpenDNS for filtering.

My firewall is a Zywall USG 50. I'm not sure how it compares with yours for features, but I had to experiment to find a way to not just
#a. block DNS requests to unapproved addresses
but also
#b. take those requests and redirect them so that the end user has a seamless experience and no reconfiguration for any devices.

In my mind I wanted a router option that simply allowed me to direct all traffic on port 53 (DNS uses both TCP and UDP on this port) to a specified address, but as is often the case, the manuals didn't make it obvious that this was even possible, let alone how to go about it.

In the end the answer came through NAT (network address translation) rather than DNS forwarding options.

With the USG 50, DNS forwarding only really helps when a client directly requests DNS from the router itself. (*Make sure you check your router manual before you follow these tips, as you may have more options than I do in this case.)
In my organization I've set up an internal domain controller for DNS that forwards …

This article will help to fix the following errors for MS Exchange servers: I. Out of Office not working; II. Warning when opening Outlook: "server.domain.com"; III. Warning when opening Outlook: "autodiscover.domain.com"; IV. Make Internal URLs and External URLs the same.

Most Exchange administrators don't check the complete set of URLs that Exchange uses to serve MAPI clients, or forget to set those URLs and add the corresponding names to the certificate after installing Exchange Server. Below are fixes for those errors.

1. First make sure you have a forward lookup zone for your external domain name (domain.com in the examples below) in your internal DNS server, so that internal clients resolve the public names to internal addresses. Because this zone now answers for the whole domain internally, any other public names in it (for example the public website) must be added to it as well, or they will stop resolving for internal clients.

2. Then create the following A records in the newly created zone, pointing to the Exchange CAS/HUB server IP, or the load balancer IP if you have one:

a) autodiscover.domain.com

b) mail.domain.com (common name)

3. Then make sure all the required names are present as Subject Alternative Names (SANs) in your SSL certificate. For a single-domain Exchange deployment the certificate should contain at least:

a) mail.domain.com (common name)

b) autodiscover.domain.com

4. Make sure the IIS service is enabled on the installed certificate.

Run "Get-ExchangeCertificate" in the Exchange Management Shell and check whether the Services column of the certificate lists IIS.

Exchange 2007

Before services enabled in Exchange 2007

After services enabled in Exchange 2007

Use the command shown below to enable the services. You can change the services according to your requirements, but IIS is mandatory.

Occasionally you run into a website or two that will not resolve properly using your own DNS servers. Some people simply set up global forwarders for their DNS server. I don't recommend doing this because it can cause problems resolving addresses on your local network, especially if you have multiple subnets or even multiple routed networks.

The better solution is to use conditional forwarders. Conditional forwarders let you specify a DNS server to use for a particular domain. In my case we had problems resolving paypal.com from one of our networks. By setting up a conditional forwarder, we were able to address the PayPal problem without causing DNS resolution problems for other domains or our own networks.

Here is how it's done on a Windows 2008 DNS server (other Windows Server versions are similar):

1. Open DNS Manager from Administrative Tools in the Control Panel.
2. Navigate to and right-click Conditional Forwarders under your DNS server, then select "New Conditional Forwarder".
3. Enter the domain of the site you want to resolve using forwarders.
4. Enter the DNS server(s) to use for resolving this domain. I used one of Level3's and one of Google's in this case. OpenDNS servers are also a good choice.
5. If you use Active Directory, make sure you check the box to store the forwarder in Active Directory. That way it will replicate to your other DNS servers. The defaults are fine for the rest of the settings.…

There have been many times when we have seen the need to enter a large number of DNS entries in a forward lookup zone.

The standard procedure would be to launch the DNS Manager console, create the zone and start adding new hosts using the New Host action. The higher the number of new hosts to be added, the greater the possibility of making a mistake. This article was created to make the administrator's life easier.

Everything the GUI does here can also be done with the dnscmd command followed by some switches and parameters, so it is reasonable to write a batch file that adds all the records in sequence at the press of a single button.

The actual dnscmd command syntax is explained below:

dnscmd [ServerName] /recordadd ZoneName NodeName RRType RRData

The parameters are the following:

ServerName: Specifies the DNS server to manage, given as the local computer syntax, an IP address, an FQDN or a host name. If omitted, the local server is used.
ZoneName: Specifies the zone in which the record resides.
NodeName: Specifies the node (owner name) within the zone, either relative to the zone or as an FQDN ending in a dot; use @ for the zone root.
RRType: Specifies the type of record to be added (A, AAAA, CNAME, MX, PTR, ...).
RRData: Specifies the record data; its format depends on RRType (for example an IPv4 address for an A record, or a preference value and a host name for an MX record).

Based on the above if our ServerName is dt00001.mydomain.com, our ZoneName is …
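A script that generates the batch file from a host list, as an added example (not the article's own code): each input row is validated before it becomes a dnscmd line, so a typo cannot silently create a malformed record, and the matching PTR lines can be produced at the same time. The server name follows the article; the zone name mydomain.com, the /24 reverse-zone layout and the host list are assumptions for the demonstration.

```python
"""Generate a dnscmd batch file for bulk A (and PTR) record creation.

Added example, not from the original article. The server name follows the
article; the zone name, reverse zone layout (/24 subnets) and the host list
are assumptions for the demonstration.
"""
import csv
import io
import ipaddress
import re

# Host labels are restricted to RFC 1123 form so that a typo in the input
# cannot turn into an odd or malformed dnscmd line.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# Constructed sample input, one host per line.
SAMPLE_CSV = """name,address
web01,10.0.1.10
web02,10.0.1.11
db01,10.0.2.20
bad host,10.0.3.1
web03,999.1.1.1
"""


def ptr_command(server, zone, name, ip):
    """dnscmd line for the matching PTR record, assuming /24 reverse zones."""
    o1, o2, o3, o4 = str(ip).split(".")
    reverse_zone = f"{o3}.{o2}.{o1}.in-addr.arpa"
    return f"dnscmd {server} /recordadd {reverse_zone} {o4} PTR {name}.{zone}."


def build_record_commands(csv_text, server, zone, with_ptr=False):
    """Return (commands, rejected).

    commands: one 'dnscmd <server> /recordadd <zone> <node> A <ip>' per valid
    row (followed by its PTR line when with_ptr is set).
    rejected: (name, reason) for rows that were skipped instead of emitted.
    """
    commands, rejected = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row["name"].strip()
        addr = row["address"].strip()
        if not _LABEL.match(name):
            rejected.append((name, "invalid host label"))
            continue
        try:
            ip = ipaddress.IPv4Address(addr)
        except ValueError:
            rejected.append((name, "invalid IPv4 address"))
            continue
        # dnscmd [ServerName] /recordadd ZoneName NodeName RRType RRData
        commands.append(f"dnscmd {server} /recordadd {zone} {name} A {ip}")
        if with_ptr:
            commands.append(ptr_command(server, zone, name, ip))
    return commands, rejected


def write_batch(commands, path):
    """Write the commands as a Windows batch file (CRLF line endings)."""
    with open(path, "w", newline="\r\n") as fh:
        fh.write("@echo off\n")
        for cmd in commands:
            fh.write(cmd + "\n")


if __name__ == "__main__":
    cmds, bad = build_record_commands(
        SAMPLE_CSV, "dt00001.mydomain.com", "mydomain.com", with_ptr=True
    )
    for line in cmds:
        print(line)
    for name, why in bad:
        print(f"skipped {name!r}: {why}")
    write_batch(cmds, "add-records.bat")
```

Run it on a workstation with the input CSV, review the printed lines and the skipped rows, then execute the resulting add-records.bat on the DNS server with an account that has rights on the zone; rejected rows are reported rather than dropped silently, so the batch never contains a record you did not intend.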

I wrote this article to explain some important DNS concepts that should be known to avoid some typical configuration errors I often see in forums.

I assume that what is described here is the typical behavior of the Microsoft DNS client. I don't know the DNS client implementations on other platforms well enough to tell you that this applies everywhere, so other experts, please feel free to comment on it.

By "Microsoft DNS client" I mean the DNS Client service on any Microsoft platform. This is true for workstations, for servers and for domain controllers.

Concept #1: The DNS "Preferred" server

When you configure DNS servers in the IP settings of a NIC on a Windows machine, you may configure what are called the "primary" and "secondary" DNS servers.

In my opinion these terms ("primary" and "secondary") are a very bad choice by Microsoft, because in fact the DNS server list can contain more than two DNS servers, as you may already have seen if you looked in the "DNS" tab of the "Advanced" IP settings.
Basically the DNS server list is an ordered list of as many DNS servers as you want.

Also, the term "primary" makes you think that this DNS server has a specific role or function compared to the other "secondary" servers, or that it has some priority over the other servers in the list, which is not the case, as I'll try to explain now.

OK, so what happens when a Windows machine has to resolve a DNS name for the first time after a startup?

One of the most often confused topics in the area of DNS is the idea of glue records: specifically, what they are, when they are needed, when they are provided, and how they are created.

First, WHAT IS GLUE?
To understand glue, you must first understand that DNS is a top-down, distributed database that is resolved iteratively. Thus, to resolve (on your own) the name host.example.com., you first contact one of the root DNS servers (there are 13 root server names, each reachable at many anycast locations) and ask for host.example.com. The reply is not the answer but a referral telling you where to find the .com nameservers, so you choose one of those and ask the same question. That reply refers you to example.com's nameservers, so you choose one of those and ask again, whereupon you finally get your answer: 10.0.0.10.

That's all well and good, until you look deeper and see that nameserver entries (NS records) are NAMES, not IP addresses. So if the nameserver for example.com is dns.example.com, you're stuck: you can't query the nameserver dns.example.com for the address of dns.example.com, because the reference is circular.

That is where glue comes in. Glue is simply the IP address of a nameserver, provided as "additional data" in the referral from the parent server. So when I query the .com server for example.com's nameservers, it replies not just with dns.example.com, but also with the IP address of dns.example.com (10.0.0.100) in the additional section of the response. Glue is needed only for nameservers whose names fall inside the zone being delegated; a nameserver named in some other zone can be looked up normally, starting again from the root.…
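The delegation walk above, with the three cases a practitioner meets (glue present, glue missing, and an out-of-zone nameserver that needs no glue), as an added runnable model that is not code from the article. The zone data is a constructed miniature of root → .com → example.com; the TLD server names under .test, the extra dnshost.org zone and all addresses are assumptions.

```python
"""Iterative resolution with and without glue, as a runnable model.

Added example, not code from the original article. The zone data is a
constructed miniature of the delegation chain the article describes
(root -> .com -> example.com); the names under .test, the dnshost.org zone
and every address are assumptions.
"""

# Each server's data: owner name -> {rrtype: [rdata, ...]}. A delegation is an
# NS record; glue is an A record for the nameserver held by the *parent*.
ROOT = {
    "com.": {"NS": ["ns.com-registry.test."]},
    "ns.com-registry.test.": {"A": ["192.0.2.1"]},
    "org.": {"NS": ["ns.org-registry.test."]},
    "ns.org-registry.test.": {"A": ["192.0.2.2"]},
}
COM = {   # parent of example.com, with glue for its in-bailiwick NS
    "example.com.": {"NS": ["dns.example.com."]},
    "dns.example.com.": {"A": ["10.0.0.100"]},
}
COM_NO_GLUE = {"example.com.": {"NS": ["dns.example.com."]}}
COM_OUT_OF_BAILIWICK = {"example.com.": {"NS": ["ns.dnshost.org."]}}
ORG = {
    "dnshost.org.": {"NS": ["ns.dnshost.org."]},
    "ns.dnshost.org.": {"A": ["203.0.113.5"]},
}
EXAMPLE = {
    "dns.example.com.": {"A": ["10.0.0.100"]},
    "host.example.com.": {"A": ["10.0.0.10"]},
}
DNSHOST = {   # a third-party DNS host that also serves example.com
    "ns.dnshost.org.": {"A": ["203.0.113.5"]},
    "host.example.com.": {"A": ["10.0.0.10"]},
}

ROOT_HINT = "198.51.100.53"
SERVERS = {
    ROOT_HINT: ROOT, "192.0.2.1": COM, "192.0.2.2": ORG,
    "10.0.0.100": EXAMPLE, "203.0.113.5": DNSHOST,
}


def _zone_candidates(name):
    """Ancestors of name from most to least specific, ending with the root."""
    labels = name.rstrip(".").split(".")
    return [".".join(labels[i:]) + "." for i in range(len(labels))] + ["."]


def query(server_ip, qname, qtype, servers):
    """Model one authoritative server: a referral (with any glue) or an answer."""
    data = servers[server_ip]
    for zone in _zone_candidates(qname):
        ns_names = data.get(zone, {}).get("NS")
        if ns_names:
            additional = {ns: data.get(ns, {}).get("A", []) for ns in ns_names}
            return {"referral": ns_names, "additional": additional}
    return {"answer": data.get(qname, {}).get(qtype, [])}


def resolve(qname, qtype="A", servers=SERVERS, _depth=0):
    """Walk the delegation chain from the root hint.

    Returns (rdata, trace) where trace lists (server_ip, qname) for every
    query sent. Raises LookupError when a referral names a server whose
    address can only be learned from that server itself: the circular case
    that glue exists to break.
    """
    if _depth > 4:
        raise LookupError(f"circular dependency: no glue for the nameserver of {qname}")
    server, trace = ROOT_HINT, []
    while True:
        trace.append((server, qname))
        resp = query(server, qname, qtype, servers)
        if "answer" in resp:
            return resp["answer"], trace
        ns = resp["referral"][0]
        addrs = resp["additional"].get(ns)
        if not addrs:
            # No glue: resolve the nameserver's own name first, from the root.
            addrs, sub = resolve(ns, "A", servers, _depth + 1)
            trace.extend(sub)
        server = addrs[0]


if __name__ == "__main__":
    for label, com_zone in (("glue", COM), ("out-of-bailiwick", COM_OUT_OF_BAILIWICK),
                            ("missing glue", COM_NO_GLUE)):
        servers = dict(SERVERS, **{"192.0.2.1": com_zone})
        try:
            addrs, trace = resolve("host.example.com.", servers=servers)
            print(label, addrs, [s for s, _ in trace])
        except LookupError as exc:
            print(label, "FAILED:", exc)
```

The out-of-bailiwick case shows why glue is only required for in-zone nameservers: ns.dnshost.org is reachable through a separate, independent walk under .org, so the .com server does not need to know its address. Real resolvers also cap this recursion and treat the loop as a failure, which is what users see as "the domain does not resolve" after a delegation was changed without updating the glue at the registrar.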

I will assume you are running a non-server version of some sort of Windows throughout this article. There are many flavors of Windows: Windows Server 2000 - 2008, XP Home & Pro, Vista Home & Pro, and Windows 7 Starter, Home, Pro, Ultimate, etc. Not all of these versions of Windows have the Microsoft web server known as Internet Information Services (IIS), formerly called Internet Information Server. I don't believe ANY version of Windows installs IIS by default, so you will need to go to Add/Remove Programs in the Control Panel, choose "Turn Windows Features on or off", and turn it on. The Starter and Home versions of Windows may not have IIS available at all. For this reason, I recommend using Apache 2.2+ for Windows; it's ALWAYS free.

You can install Apache on any type of operating system, and there is a wealth of knowledge available online for various issues, configurations, and add-ons. Apache is also "open source", which means it is TOTALLY free to use. If you are seeking to get more involved with developing content for the internet in a corporate business environment, you will probably want to get involved with using IIS for Windows, but getting started with IIS is somewhat more difficult (in the author's opinion) because you need a more detailed understanding of things like DNS, security, opening ports, and other internet-specific details. The Apache Web Server packages can be found at http://httpd.apache.org/download.cgi and I recommend downloading the…

Open source does not mean free! If you use Apache for profit you are supposed to pay. Read the fine print. Open source is the way code is written. Take a look and see. Unless they have changed it in the last little bit, but I doubt it. If you find out otherwise I would be surprised, and I would apologize to you personally.

If you have a multi-homed DNS server in Windows, you can have issues with connectivity to the server that hosts the DNS service (or even to member servers of your domain, if that DNS server is also a DC). This is because Windows registers all of its addresses (both IPv4 and IPv6) as host records for the server name and, on a domain controller, for the domain name, so clients may resolve the name to an address on an unwanted or unreachable subnet (especially with IPv6 enabled, since clients will often try IPv6 first). This happens where there is no routing between the networks for the clients, or the server is not a gateway for the clients, so users cannot reach domain hosts even though the records resolve.

Microsoft describes the same behavior for a domain controller running Routing and Remote Access:

"When DNS queries for the domain name or the domain controller's fully qualified domain name (FQDN) are sent to a Windows 2000 domain controller that is running Routing and Remote Access, the domain name or FQDN for the domain controller is resolved to an Internet protocol (IP) address that is used by Routing and Remote Access. DNS Manager displays HOST (A) records for the Routing and Remote Access server IP addresses and Routing and Remote Access client IP addresses with the name of the domain controller and the name of the domain that is used for Active Directory."

2. A wildcard record exists for *.domain.com on the public DNS server for domain.com and "Append parent suffixes of the primary DNS suffix" is ticked (TCP/IP settings, Advanced, DNS). Or a wildcard exists for *.internal.domain.com.

OR

1. domain.com exists in the DNS suffix search list.

2. A wildcard record exists for *.domain.com on the public DNS server for domain.com.

In either case each suffix-appended form of the name is queried before the multi-label name is submitted as typed, so the wildcard answers first and the intended name is never looked up.

Examples

In the following examples the detailed responses from nslookup are shown by enabling its debugging option (set debug).

This article is intended as an extension of a blog post on aging and scavenging by the MS Enterprise Networking Team.
In brief, Scavenging is used as follows:

Each record in a zone that has been dynamically registered with an MS DNS server has a time stamp. The time stamp is used together with the aging intervals (No-Refresh and Refresh) to determine when a record is stale: a record becomes stale once both intervals have elapsed since its time stamp. When a record is refreshed the time stamp is updated, but a refresh that arrives within the No-Refresh interval is ignored to limit replication traffic. The scavenging process removes any stale records it encounters within a zone.

If a system changes IP address, an update is sent to DNS. An update ignores the No-Refresh interval and changes the record data as well as the time stamp.

Manually created records are not removed by the scavenging process: they have no time stamp value and therefore cannot be considered stale.

SOA and NS records are not usually involved in the scavenging process because they are created by a different mechanism; they are not dynamically registered by default but are created automatically when the zone is created.

There are several different systems or services involved with dynamic registration of DNS Records.

DHCP Server

By default, Microsoft DHCP updates DNS only as each client requests: a Windows 2000 or later client registers its own host (A) record and asks the DHCP server to register the PTR record on its behalf. If the DHCP server is instead configured to always update records on behalf of clients, a client will not register directly while it holds a lease from that server. Clients that cannot request updates at all get records only if the server is configured to register on behalf of such clients.
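The aging rules above (refresh ignored inside No-Refresh, update always accepted, static records never stale) as a small runnable model, added here and not the DNS server's own code. Times are whole hours, the intervals are the Windows defaults of 7 days each, and the record names and addresses are constructed.

```python
"""Aging and scavenging arithmetic, as a runnable model.

Added example, not the DNS server's own code. Times are whole hours and the
interval values are the Windows defaults (7 days each); record names and
addresses are constructed.
"""
from dataclasses import dataclass
from typing import Optional

NO_REFRESH = 7 * 24   # hours during which a plain refresh is ignored
REFRESH = 7 * 24      # hours after that during which a refresh is accepted


@dataclass
class Record:
    name: str
    data: str
    timestamp: Optional[int]   # hour of last refresh/update; None = static record


class Zone:
    def __init__(self, no_refresh=NO_REFRESH, refresh=REFRESH):
        self.no_refresh = no_refresh
        self.refresh = refresh
        self.records = {}

    def add_static(self, name, data):
        """Manually created record: no timestamp, so never considered stale."""
        self.records[name] = Record(name, data, None)

    def register(self, name, data, now):
        """Dynamic registration by a client or DHCP server.

        Returns what happened: "created", "updated" (data changed; the
        no-refresh interval does not apply), "refreshed" (same data, outside
        the no-refresh interval) or "ignored" (same data, inside it).
        """
        rec = self.records.get(name)
        if rec is None:
            self.records[name] = Record(name, data, now)
            return "created"
        if rec.timestamp is None:
            # A dynamic update against a static record is outside what the
            # article covers; refuse rather than guess.
            raise ValueError(f"{name} is a static record")
        if rec.data != data:
            rec.data, rec.timestamp = data, now
            return "updated"
        if now < rec.timestamp + self.no_refresh:
            return "ignored"
        rec.timestamp = now
        return "refreshed"

    def is_stale(self, rec, now):
        """Stale once both intervals have elapsed since the timestamp."""
        return (rec.timestamp is not None
                and now >= rec.timestamp + self.no_refresh + self.refresh)

    def scavenge(self, now):
        """Remove stale records and return their names."""
        stale = [n for n, r in self.records.items() if self.is_stale(r, now)]
        for n in stale:
            del self.records[n]
        return stale


if __name__ == "__main__":
    z = Zone()
    z.add_static("printer", "10.0.0.5")
    for name, addr, hour in (("pc1", "10.0.0.20", 0), ("pc1", "10.0.0.20", 24),
                             ("pc1", "10.0.0.20", 200), ("pc2", "10.0.0.30", 0),
                             ("pc2", "10.0.0.31", 24)):
        print(f"h{hour:>4}: {name} {addr} -> {z.register(name, addr, hour)}")
    print("scavenged at h400:", z.scavenge(400))
    print("remaining:", sorted(z.records))
```

The model leaves out two things that bite in practice: scavenging must be enabled both on the zone and on at least one server, and the server only sweeps at its scavenging period, so a record can be stale for some time before it disappears. The arithmetic is the part worth checking before you enable it, because a No-Refresh + Refresh window shorter than your DHCP lease or your clients' registration interval will remove live records.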

Most DNS problems are VERY easily troubleshot and identified if you can follow the steps a DNS query takes. I would like to share, step by step, the path a DNS query takes from the origin to the destination.
_____________________________________________________________________
THE CLIENT'S RESPONSIBILITY:
1) The client tries to contact a remote site using DNS and will send out a DNS query. It first looks at its own records before anything else.
--- a) The first place it looks is its own DNS resolver cache.
((NOTE: The problem with a DNS resolver cache is that you may, once in a while, get a bad record, which points your client to the wrong IP. You can resolve this by flushing the DNS cache. It doesn't hurt your computer to flush the DNS cache, and it is easily done from the command prompt by typing ipconfig /flushdns.))
--- b) Then the client looks in the C:\Windows\System32\drivers\etc\hosts file. This file has to be configured manually.
((NOTE: The problem with a configured hosts file is that its entries take precedence over DNS: if a name is listed there with a wrong or stale address, the client goes to that address and the query never reaches the server. If you have a DNS server, these records should not be configured by hand. The file is editable with a text editor such as Notepad. It is fine to keep the default 127.0.0.1 loopback entry for localhost.))
…

DNS suffixes are appended, in order, to any single-label query (and to multi-label queries too, if that is enabled in Group Policy).

As such, the DNS suffixes and the appending of them are the responsibility of the client; this would be a step "1 c" in the list above. The client then repeats the query (steps 2 to 4) for each suffix until it either gets a non-NXDOMAIN response or runs out of suffixes to append.
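The client-side order described in this and the previous two excerpts (resolver cache, hosts file, then suffix appending and the query loop) and the wildcard pitfall from the excerpt above, as an added runnable model that is not the Windows resolver. The hosts file text, the suffix list and the server's records are constructed; the order used for multi-label names when appending is enabled (suffixes first, then the name as typed) follows the article's description and is an assumption about the client's settings.

```python
"""Client-side resolution order (cache, hosts file, then DNS with suffix
appending) and the wildcard pitfall, as a runnable model.

Added example, not the Windows resolver. The hosts file text, the suffix
list and the server's records are constructed; the order used for
multi-label names (suffixes first, then the name as typed) follows the
article's description and is an assumption about the client's settings.
"""

NXDOMAIN = None   # stands in for the NXDOMAIN response code


class FakeDnsServer:
    """Answers from explicit records, then from a wildcard, else NXDOMAIN."""

    def __init__(self, records, wildcards=()):
        self.records = dict(records)
        self.wildcards = list(wildcards)   # (zone, address) for *.zone
        self.queries = []                  # every name asked, in order

    def query(self, name):
        self.queries.append(name)
        if name in self.records:
            return self.records[name]
        for zone, addr in self.wildcards:
            if name.endswith("." + zone) and name != zone:
                return addr
        return NXDOMAIN


def parse_hosts(text):
    """Map each name in a hosts file to its address; comments ignored."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        for n in names:
            table[n.lower()] = addr
    return table


class Client:
    def __init__(self, server, suffixes, hosts_text="", append_to_multilabel=False):
        self.server = server
        self.suffixes = list(suffixes)
        self.hosts = parse_hosts(hosts_text)
        self.append_to_multilabel = append_to_multilabel
        self.cache = {}

    def resolve(self, name):
        name = name.lower().rstrip(".")
        # 1a) resolver cache
        if name in self.cache:
            return self.cache[name]
        # 1b) hosts file: wins without any query reaching the server
        if name in self.hosts:
            return self.hosts[name]
        # 1c) suffix appending, then the query loop until a non-NXDOMAIN answer
        single_label = "." not in name
        candidates = []
        if single_label or self.append_to_multilabel:
            candidates += [f"{name}.{s}" for s in self.suffixes]
        if not single_label:
            candidates.append(name)
        for cand in candidates:
            answer = self.server.query(cand)
            if answer is not NXDOMAIN:
                self.cache[name] = answer
                return answer
        return NXDOMAIN


# Constructed hosts file: 'fileserver' never reaches the DNS server.
HOSTS_TEXT = """# constructed hosts file
127.0.0.1   localhost
10.0.0.7    fileserver
"""

if __name__ == "__main__":
    # Internal records plus a public-style wildcard for *.corp.example.
    server = FakeDnsServer({"mail.corp.example": "10.0.0.25"},
                           [("corp.example", "203.0.113.10")])
    client = Client(server, ["corp.example"], HOSTS_TEXT)
    for n in ("mail", "fileserver", "mail", "mial", "www.example.org"):
        print(f"{n:16} -> {client.resolve(n)}")
    print("queries sent:", server.queries)
```

Watch the query list: the cache and hosts hits send nothing, a typed typo such as "mial" comes back with the wildcard's address instead of NXDOMAIN, and with multi-label appending enabled an unrelated external name is first tried under the suffix and is swallowed by the wildcard too. Negative caching is not modelled; a real client would also remember the NXDOMAIN answers for a while.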